Security of our Information Systems
1 - Complexity and vulnerability
Modern information systems consist of a large number of hardware and software layers. Any of these hardware or software layers can be vulnerable and become the source of a security breach.
Security must therefore be considered globally, and the first step is to simplify the information system. Our information system is thus the result of many simplification choices, each of which aims to reduce its attack surface and therefore its vulnerability.
However, no information system should ever, by its very nature, be considered completely secure. For this reason, we cannot guarantee you absolute security for our information system. Vulnerabilities will always appear unpredictably, and we will never be immune to the possible exploitation of one of them. We can, however, guarantee you a very good level of relative security through the delivery of professionally secured web solutions.
2 - Transparency and vulnerability
We have chosen to list below some of the security features of our information systems.
This may seem risky, since it provides information to a potential attacker. This is a reason often given for declining to justify the security measures put in place.
For us, it is a risk worth taking. Transparency is a source of dialogue with our customers, who are the first to be interested in the security of our information systems. This transparency then becomes a source of improvement.
3 - Personal computers
Our personal computers are Apple MacBook Pro. Security updates of macOS and other installed software are immediately applied. Other updates of macOS and software used on these machines are researched and applied once a week.
These updates are detected through the App Store, CleanMyMac X and manually.
Our machines are protected by the Sophos security solution, which provides, among other things, real-time anti-virus protection and maintains a blacklist of websites not to be visited.
The Internet connections of the software installed on our personal computers are monitored using the Little Snitch solution.
Our personal computers are used for development and store all our data both locally and remotely. Locally, the data is encrypted by macOS and protected by the macOS firewall. Remotely, this data is hosted by Tresorit. This Swiss solution provides end-to-end file encryption and version management. End-to-end encryption ensures that files are stored encrypted in the cloud. File versioning is a better response to ransomware than backups alone.
4 - Mobile phones
Our mobile phones are Apple iPhones. iOS security updates are applied immediately. The hardware and software integration of Apple iPhone ensures that the iOS operating system is regularly updated throughout the use of these mobile phones.
We limit the professional applications used on these mobile phones to what is strictly necessary. These applications are G Suite, Skype, LinkedIn and Airbnb. No other professional applications, and no personal applications such as Facebook or Candy Crush, are installed, in order to reduce the attack surface of these devices.
Our password manager (see article 8 below) is not installed on our mobile phones. We do not access the administration system of our information system from our Apple iPhones.
5 - Web application servers
Our web application servers are hosted by the Finnish company UpCloud. They run the open source operating system Ubuntu Server 18.04 LTS, with guaranteed support until April 2023. These Ubuntu systems are updated once a week, after a full backup of the servers concerned.
Our servers are protected by a firewall and watched by monitoring software. In particular, the firewall opens only the necessary ports and may restrict access to authorized fixed IP addresses. The monitoring software allows us, among other things, to detect abnormal activity on our servers and to be informed of it in real time.
Each virtual server is dedicated to a single client and a single application. The database(s) required for this application are also dedicated to this single client. Thus, a customer can never have access to another customer’s data.
Our servers can be located, at the customer's choice, in:
- London (United Kingdom),
- Amsterdam (Netherlands),
- Frankfurt (Germany),
- Helsinki (Finland),
- San Jose (United States),
- Chicago (United States),
- or Singapore.
Our servers are fully backed up once a day.
Our servers are fully backed up before their operating system is updated.
These backups complement the backups performed at the level of web applications (see Articles 6 and 7).
6 - Websites - WordPress
WordPress is our only tool for designing our websites and those of our customers. WordPress is an Open Source solution supported by a very large community of developers and users. It is one of the most widely used Content Management Systems today.
WordPress security updates are applied immediately and automatically. Other WordPress updates as well as theme and extension updates are done once a week.
Our WordPress sites are protected by a security solution.
Access as administrators is immediately reported and verified. Users, internal or external, have access only to the functions they strictly need. All actions of administrators and users are recorded in real time in a logbook.
Our WordPress sites are backed up, at the application level, once a day. Backups are transmitted encrypted and archived in two separate data centers, one in France and the other in Holland. The correct execution of these backups is checked once a week. The usability of these backups for restoration is tested once a month.
Our WordPress sites are also backed up, at the server level, along with the entire server, once a day (see article 5).
On all our WordPress sites, we use only about twenty extensions that we have known and used for many years.
Our forms are protected by the Google reCaptcha V3 solution.
7 - Web applications - Laravel
Laravel is our only tool to design our web applications. Laravel is an Open Source solution supported by a very large community of developers. It is one of the most widely used PHP frameworks today.
Laravel’s security updates are applied immediately. Other updates of Laravel as well as updates of its additional components are done once a week.
The management of deployment, access, roles, backups and components in use is currently going through a selection, testing, deployment, development and stabilization process. We will communicate more security information about these Laravel-based web applications as they are further developed.
8 - Password manager
We use the KeePassXC Open Source password manager. The conformity of the downloaded code with the original code is checked before each update. We update KeePassXC as soon as each new version is released.
Each generated password is a strong password that is used only once in our information system.
The KeePassXC database is encrypted twice (in the application and during transfer) and stored in Tresorit.
Backups are made monthly and stored encrypted, on USB sticks, in two different physical locations.
9 - Two-Factor Verification
We most often use the FreeOTP Open Source two-factor verification solution. This solution is sponsored and published by Red Hat. We also use two-factor verification systems using SMS or email when they are the only ones available.
This two-factor verification is used for all critical components of our information system. This is particularly the case for:
10 - Monitoring and knowledge base
We maintain, on a daily basis, a comprehensive knowledge base dedicated to security, drawing on multiple sources of information. This allows us to learn about vulnerabilities in our software solutions as soon as they are made public.
We apply security updates that address these vulnerabilities very quickly, usually within hours of their release.
This knowledge base is also used to raise our customers’ awareness of the ever-changing nature of IT threats.
11 - Principles for selecting solutions
We focus on Open Source solutions supported by large communities. In some cases, we choose proprietary solutions when justified by their excellence or specialization.
We prefer European solutions because they generally offer more guarantees of security and privacy than solutions from the United States. In some cases, we use solutions from other parts of the world when they have no equivalent in Europe.
When a European alternative solution appears and offers more security than our current solution, we set up a migration plan. This is what we did when we replaced the American Dropbox solution with the Swiss Tresorit solution.
12 - Financial independence
The security of your information systems also depends on the financial strength and independence of your subcontractors and suppliers. In the event of a takeover of the company, your data may be outsourced, shared or compromised. In the event of a business failure, your data may be temporarily unavailable or even lost.
WebZenitude is a financially independent company:
- 100% of its shares are held by its founder.
- It is developing by its own means without recourse to venture capital or debt.
- It is up to date with the payment of its taxes and social contributions.
- There are no ongoing customer disputes.
- Only invoices issued are recorded. Future invoices are not taken into account.
- Developments of our solutions are neither capitalized nor recorded. They are not subject to research tax credits.
WebZenitude does not foresee any change in its “slow growth” mode of development or in its financial independence.
Our customers can thus count on:
- our professionalism thanks to our slow and steady growth.
- our sustainability thanks to our financial independence.
- our resilience in the event of an economic recession thanks to a low and controlled break-even point.
13 - Metadata
Update date: August 12, 2019
Version: 002
14 - Additional information
You can request additional information through our contact form.
We guarantee you a fast answer.
35 chemin des Bourguignons
88160 - Le Thillot
SAS with a capital of 5.000 €
RCS Epinal: 813 629 060 00019
N° TVA: FR 47 813 629 060